Navigating the Safe Harbor storm

EU-US Privacy

Since the Court of Justice of the EU nullified the EU-US Safe Harbor Framework on October 6th, businesses, regulators and European rule makers have been working hard to put together an appropriate response.

This article aims to summarize the events of the past month and assesses the different remaining options for transferring personal data from the EU to the US.


European Commission: Working towards Safe Harbor 2.0

Immediately after the Court's ruling, the European Commission, which has the power to declare other countries safe enough to transfer personal data into, emphasized that it has been working with the US on a new Safe Harbor framework since 2013. At the same time, Justice Commissioner Vera Jourová stressed that alternative transfer mechanisms for data exports to the US, such as Binding Corporate Rules (BCRs) and Standard Contractual Clauses (i.e. EU Model Contracts), were still valid and would remain viable options. In addition, the Commissioner called upon the EU’s 28 data protection regulators to work together on a uniform interpretation of the ruling, to ensure business certainty and the continuation of Transatlantic data flows, which she called “the backbone of the European economy”.

Announced guidance on how to transfer data to the EU after the invalidation of Safe Harbor

On November 6th, the Commission issued its announced guidance on how to transfer data to the EU after the invalidation of Safe Harbor, in which it again confirmed that the alternative data transfer mechanisms remain valid options. The guidance document, however, also stressed that data exporters using BCRs or Model Contracts are responsible for ensuring that transfers take place with sufficient safeguards. This may entail taking technical, organisational, business-model-related or legal measures, or suspending the transfer altogether. Ultimately, the Data Protection Authorities (DPAs) have to assess, in full independence and on a case-by-case basis, whether sufficient safeguards are in place to approve a transfer based on alternative transfer mechanisms. The European Commission will, however, work with the DPAs to ensure a uniform application of data protection law across the EU.

Negotiations with the US on a new framework

The Commission further stated that its objective is to conclude the negotiations with the US on a new framework to replace Safe Harbor within 3 months. In a statement to the European Parliament on October 26th, Commissioner Jourová had already revealed that the EU and US had reached agreement in principle on key elements of the new Safe Harbor framework, but admitted that provisions regarding the possible access to data by public authorities for law enforcement and national security purposes remain the biggest challenge in the negotiations.

Regulators set January 2016 deadline for negotiations; accept alternative transfer options for now

According to the EU’s privacy regulators (Data Protection Authorities or DPAs), the access to European personal data by US intelligence services to which Commissioner Jourová alluded is key to understanding the CJEU’s ruling. In a common statement on October 16th, the DPAs called upon the EU Member States and the European Commission to find “political, technical and legal solutions” that enable data transfers to the US whilst respecting fundamental rights. The DPAs acknowledged that a new Safe Harbor framework could be part of the solution, but set strict requirements for it to be acceptable, as well as a clear deadline for the negotiations. If by 31 January 2016 no solution is found, the regulators will take “all necessary and appropriate actions, which may include coordinated enforcement actions”.

The DPAs also called into question whether alternative transfer mechanisms will still be valid in the future, as BCRs or EU Model Contracts do not protect European data subjects from “massive and indiscriminate surveillance” either. In their common statement, the DPAs committed to accepting these alternatives at least until the end of January 2016. However, the DPAs of Germany have unilaterally deviated from this standpoint, announcing that they will no longer issue new authorizations for data transfers to the United States that are based on BCRs or ad-hoc data transfer agreements.

An overview of your options

In an attempt to provide clarity, the following tables give a general overview of the possible ways to transfer personal data from the EU to the US, with their respective common advantages and drawbacks.

The list below gives an overview of how things stand as of 11 November 2015. Due to the volatile legal climate, this assessment may change quickly, following for example guidance issued by the European Commission, the evolution of the negotiations on a new Safe Harbor framework, or a re-assessment of BCRs and Model Contracts by the data protection authorities (DPAs). The Safe Harbor ruling will be a key topic during a meeting that Commissioner Jourová will have with her US counterpart in Washington DC in the week of 17 November 2015. In addition, the Article 29 Working Party, which convenes all the DPAs of EU Member States, will discuss the Safe Harbor fall-out again at the end of November.

Safe Harbor

  • Minimal certification cost
  • Compliance implies integration of the Safe Harbor privacy principles in the organization’s policies & procedures
  • Invalidated by the Court of Justice of the EU ruling
  • Only covers data transfers from the EU/Switzerland to a US Safe Harbor-certified company
  • Provides the US FTC with enforcement powers

Accepted by DPAs?

No. Invalidated by the CJEU in the Schrems v. Data Protection Commissioner case (C-362/14).

Binding Corporate Rules

  • Compliance integrates EU privacy requirements into the core policies & procedures of the group
  • One solution usable for all data transfers outside the EU (not just to the USA)
  • Long approval process, requires extensive documentation and resources
  • Strong privacy governance (responsibilities) required
  • The EU headquarters can be held accountable for BCR non-compliance of non-EU group entities that received EU data

Accepted by DPAs?

Yes. By all DPAs except Germany's, until at least January 31st 2016.

Standard Contractual Clauses (EU Model Contracts)

  • Requires no drafting of contractual clauses – mandatory contractual clauses are available online
  • Pre-approved by DPAs, so far never challenged
  • Only usable for well-defined transfers
  • Contractual administration challenges at the time of signature and in case an update is needed
  • Risk of creating a paper tiger: strong contractual guarantees without compliance in practice

Accepted by DPAs?

Yes. Accepted by all DPAs, until at least January 31st 2016.

Ad-hoc data transfer agreements

  • More drafting flexibility than EU Model Contracts
  • Easier to adapt to changing transfers
  • More drafting time and resources needed
  • Approval of DPAs needed and not guaranteed

Accepted by DPAs?

Yes. By all DPAs except Germany's, until at least January 31st 2016.

Derogations in the law (e.g. consent)

  • Clear exceptions provided in the EU Data Protection Directive (95/46/EC)
  • Derogations are interpreted restrictively, so not a stable solution
  • Likely only accepted if the transfer is neither massive nor frequent
  • Consent needs to be informed, specific and freely given, which in many cases is very hard, if not impossible, to obtain

Accepted by DPAs?

Only if strict conditions (informed, specific and freely given) are fully met, and not for repeated, mass or structural transfers.

For now, we strongly recommend verifying whether any personal data transfers to the US in your organisation are still based on the invalidated Safe Harbor framework. If this is the case, you should consider reviewing your overall data transfer strategy and assess whether any of the remaining options for transferring data to the US would be viable in your specific situation.

As for the long-term viability of alternative transfer mechanisms beyond January 2016, the future is uncertain. We therefore recommend focusing on elements that can show DPAs that the CJEU’s message was taken into account in your organization. Assess whether you are able to justify why the cross-border transfer is necessary and, if possible, even whether the transfer benefits the data subject. Transparent privacy policies and procedures, well-documented data minimization strategies and data retention policies, as well as IT security measures such as end-to-end encryption, should help build your case for sustained transatlantic data transfers in the future.

Contact us

For data transfer strategy advice tailored to the needs of your organization, please contact Erik Luysterborg or Georgia Skouma.